Topic: acts_as_authenticated security question

I'm using the RESTful acts_as_authenticated and have a question about attr_accessible.
Any fields you want to be changeable by the user you add to attr_accessible, such as first_name, last_name, etc. I also have a boolean called is_admin which is false by default.

At the moment, if a user is an admin and they create a new user, they get shown a checkbox for the is_admin field. The is_admin boolean never gets set (of course) unless I put it in the attr_accessible list. Is this safe?

I am assuming not because any user could create a custom request which would make them an admin?

The one solution I can think of at the moment is to protect is_admin in the controller by always setting params[:user][:is_admin] to false unless the current user is an admin themselves.

def update
  if current_user.is_admin?
    # admins may edit any user, and the is_admin param is left alone
    @user = User.find(params[:id])
  else
    # everyone else may only edit themselves, and never set is_admin
    @user = User.find(current_user.id)
    params[:user][:is_admin] = false # protection here
  end
  if @user.update_attributes(params[:user])
    flash[:notice] = "Your changes have been saved."
    redirect_to dashboard_path
  else
    flash[:notice] = "Your changes have not been saved."
    render :action => "edit"
  end
end

There may be a better way to do this?

Many thanks, Cham.

Thank me by recommending me on WorkingWithRails

Re: acts_as_authenticated security question

I haven't had any experience with acts_as_authenticated, but I think this is probably a more general model question. You want to prevent mass assignment to is_admin, so that a user filling out the form can't pass is_admin=1 as a parameter and turn themselves into an administrator. So in your model, you should do:

attr_protected :is_admin

And then try it yourself:
veraticus = User.create(:name => "Veraticus", :is_admin => "1")
veraticus.is_admin # => nil
veraticus.attributes = {"description" => "Very fun!", "is_admin" => "1"}
veraticus.is_admin # => nil

veraticus.is_admin = 1
veraticus.is_admin # => 1


Only through a direct assignment can a user turn into an administrator.

Last edited by Veraticus (2007-10-08 10:54:29)

Re: acts_as_authenticated security question

Perfect. I really need to look into the attr_* methods; are these part of Ruby or Rails?

Thank me by recommending me on WorkingWithRails

Re: acts_as_authenticated security question

They are part of Rails.


Not that this was part of your question, but you could also write the above code like this:

def update
  params[:user][:is_admin] = false unless current_user.is_admin?
  if @user.update_attributes(params[:user])
    . . .
end

BJ Clark
the science department
http://www.scidept.com/

Re: acts_as_authenticated security question

chamstar wrote:

Perfect. I really need to look into the attr_* methods; are these part of Ruby or Rails?

Indeed they are.

Use attr_protected like so in the user model:

attr_protected :is_admin

To alter the status of a user's admin abilities:

@user = User.find(params[:id])
@user.is_admin = true
@user.save
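As an added example (not code from this thread, from acts_as_authenticated or from Rails itself), the following pure-Ruby stand-in reproduces the mass-assignment filtering the thread is about so it can be run without a Rails install: attr_accessible as a whitelist (the questioner's setup), attr_protected as a blacklist (the reply's suggestion), and a controller-style update that mirrors the guard from the question, with the admin flag changed only by direct assignment as in the last reply. The MassAssignment module, the Account class, update_user and demo are names invented for this example, and the module only approximates what ActiveRecord does.

```ruby
# Added example: a pure-Ruby stand-in for ActiveRecord's mass-assignment
# filtering, so the thread's point can be exercised without Rails.
# MassAssignment, Account, update_user and demo are names invented here.
module MassAssignment
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Whitelist (the questioner's setup): only these keys pass attributes=.
    def attr_accessible(*names)
      @accessible = names.map(&:to_s)
    end

    # Blacklist (the reply's suggestion): these keys are dropped.
    def attr_protected(*names)
      @protected = names.map(&:to_s)
    end

    def accessible_attributes
      @accessible
    end

    def protected_attributes
      @protected || []
    end
  end

  # Mass assignment: every key is filtered before it reaches a setter,
  # which is what stops a forged "is_admin" => "1" in a request body.
  def attributes=(hash)
    whitelist = self.class.accessible_attributes
    hash.each do |key, value|
      key = key.to_s
      next if self.class.protected_attributes.include?(key)
      next if whitelist && !whitelist.include?(key)
      raise ArgumentError, "unknown attribute #{key}" unless respond_to?("#{key}=")
      send("#{key}=", value)
    end
  end
end

class User
  include MassAssignment
  attr_accessor :first_name, :last_name, :is_admin
  attr_accessible :first_name, :last_name   # is_admin deliberately omitted

  def initialize(attrs = {})
    @is_admin = false                        # false by default, as in the question
    self.attributes = attrs
  end

  def is_admin?
    @is_admin == true
  end
end

class Account
  include MassAssignment
  attr_accessor :name, :is_admin
  attr_protected :is_admin                   # blacklist style

  def initialize(attrs = {})
    @is_admin = false
    self.attributes = attrs
  end

  def is_admin?
    @is_admin == true
  end
end

# Stand-in for the controller action: current_user is the actor, target the
# record being edited, params the "user" hash from the request (string keys).
def update_user(current_user, target, params)
  params = params.dup
  flag = params.delete("is_admin")          # never let it reach attributes=
  if current_user.is_admin? && !flag.nil?
    target.is_admin = (flag == "1")          # direct assignment, admin only
  end
  target.attributes = params
  target
end

# Constructed scenario: a non-admin smuggles is_admin into their own edit,
# and an admin promotes another user through the same action.
def demo
  mallory = User.new("first_name" => "Mallory")
  update_user(mallory, mallory, "first_name" => "Mallory", "is_admin" => "1")

  root = User.new("first_name" => "Root")
  root.is_admin = true
  cham = User.new("first_name" => "Cham")
  update_user(root, cham, "is_admin" => "1")

  { attacker_admin: mallory.is_admin?, promoted_admin: cham.is_admin? }
end
```

update_user deletes the is_admin key instead of setting it to false as the controller in the question does; either keeps a non-admin from promoting themselves, but deletion means the key never reaches attributes= at all, whatever the model declares. Either way the model-level whitelist or blacklist is the layer to rely on, since it also covers any other action that calls update_attributes or new with request parameters.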